Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
There is a Linux Security forum here on LQ. Hit the report button and ask to have your post moved there. You're probably going to be asked for a lot of information by some very well qualified people, and you're probably going to wind up having to completely rebuild your server (is it your server?). Good luck!
There is a well known problem where the Apache web server can be made to serve Windows viruses. Are you running the Apache web server software?
You may find answers faster if you use Google to search for information. I searched Google for "apache virus serving" and got some good links. A little imagination can result in other good search strings.
Yes, I am running Apache on that server and serving CGI. I found the malicious content and removed it, but how do I trace how someone got into the server and created that content? And how do I prevent that from happening again?
I have noticed that the server was hacked and content was put in the webserver folders - now I think the server is on "Sites serving malicious content".
How did you find out? What did you notice?
Quote:
Originally Posted by bonobo09
I found the malicious content and removed it, but how do I trace how someone got into the server and created that content? And how do I prevent that from happening again?
Removing files is a good way to stop serving them. However, it does not stop people from uploading files again. To help you with that we need more information from you, like whether your system and application logs show any "weird errors" and what software you run on top of your webserver. Do you run a CMS or forum software? And what versions? Do you run FTP? Statistics software like awstats? Prevention we should talk about only after you have stabilized the current situation and know how to deal with the aftermath.

For now please post a listing by running (adjust paths and output if necessary): '( /bin/ps -axfwwwe 2>&1; /usr/sbin/lsof -P -w -n 2>&1; /bin/netstat -anpe 2>&1; /usr/bin/w -lf 2>&1; /usr/bin/last 2>&1 ) | tee /tmp/log' and shut down (and keep from restarting) any running webserver, database, FTP and other publicly accessible services you do not need for managing the server (basically you'll only need SSH to access it). Please post as much information as possible and check back regularly because we might want you to run more commands.
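As an added example (not from the thread and not unSpawn's own script), the triage above as a small POSIX sh script: it captures the same volatile state but skips tools that are not installed and records what it did, then walks a web root for files changed after a known-good reference file and for constructs typical of dropped PHP/Perl shells. The web root, the reference file, the output directory and the pattern list are assumptions for illustration; the sample site the script can build is constructed data, not anything from the compromised server in the thread.

```shell
#!/bin/sh
# Added triage example, not from the thread. Assumptions: paths are given on
# the command line, the reference file predates the compromise, and the
# pattern list is a starting point you extend for your own site.
set -u

# collect_volatile OUTDIR
# Runs each listed command if it is installed, saves its output to
# OUTDIR/<name>.txt and records what happened in OUTDIR/manifest.txt.
# Returns 0 when the manifest was written.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    : > "$outdir/manifest.txt"
    # name|command, one per line; ss is included for hosts without netstat
    printf '%s\n' \
        'ps|ps -axfwwwe' \
        'lsof|lsof -P -w -n' \
        'netstat|netstat -anpe' \
        'ss|ss -anp' \
        'w|w -lf' \
        'last|last' |
    while IFS='|' read -r name cmd; do
        tool=${cmd%% *}
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf '%s: %s not installed\n' "$name" "$tool" >> "$outdir/manifest.txt"
        elif $cmd > "$outdir/$name.txt" 2>&1; then
            printf '%s: saved (%s)\n' "$name" "$cmd" >> "$outdir/manifest.txt"
        else
            printf '%s: exit %s, see %s.txt\n' "$name" "$?" "$name" >> "$outdir/manifest.txt"
        fi
    done
    [ -s "$outdir/manifest.txt" ]
}

# find_changed_since WEBROOT REFFILE
# Lists files under WEBROOT with an mtime later than REFFILE. A lead, not
# proof: an intruder can back-date dropped files with touch.
find_changed_since() {
    find "$1" -type f -newer "$2" | sort
}

# find_webshell_patterns WEBROOT
# Prints files containing constructs typical of PHP web shells: eval of an
# obfuscated payload, a command run straight from request input, or decoding
# of request input. Legitimate code can trip these too: review each hit.
find_webshell_patterns() {
    grep -rlE \
        -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' \
        -e '(passthru|shell_exec|system|popen|exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST)' \
        -e 'base64_decode[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' \
        "$1" 2>/dev/null | sort
}

# make_sample_webroot DIR
# Constructed sample site for trying the scanners offline (not real data):
# two clean files back-dated to 2008 and one planted shell with a current mtime.
make_sample_webroot() {
    dir=$1
    mkdir -p "$dir/cgi-bin" "$dir/images"
    printf '<html><body>hello</body></html>\n' > "$dir/index.html"
    printf '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\nok\\n";\n' > "$dir/cgi-bin/clean.cgi"
    touch -t 200801010000 "$dir/index.html" "$dir/cgi-bin/clean.cgi"
    # typical dropped shell: hidden name, obfuscated payload taken from a POST parameter
    printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$dir/images/.cache.php"
}

# Usage: sh triage.sh --run WEBROOT REFFILE [OUTDIR]
if [ "${1:-}" = "--run" ]; then
    webroot=${2:?WEBROOT} reffile=${3:?REFFILE} outdir=${4:-/tmp/triage.$$}
    collect_volatile "$outdir" && echo "volatile state saved under $outdir"
    echo "files newer than $reffile:";  find_changed_since "$webroot" "$reffile"
    echo "web-shell pattern hits:";      find_webshell_patterns "$webroot"
fi
```

Run the collector before stopping services, since the process and socket listings are the evidence you want, and copy the output directory off the box. On a rooted host the output of ps, lsof and netstat can be filtered by a kernel module or trojaned binaries, so compare it with what the network sees (firewall logs, a capture taken from another machine) and with a scan of the disk from clean media. The mtime sweep and the pattern grep are leads to investigate, not proof either way.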
Quote:
Originally Posted by stress_junkie
There is a well known problem where the Apache web server can be made to serve Windows viruses.
Awesome! Could you please share the details of that "well known problem"? I'm really curious as to what this would be then.
Quote:
Originally Posted by stress_junkie
You may find answers faster if you use Google to search for information.
People search LQ to find help with their problems. They might join LQ if they require more help. Telling them then to "go Google" does not really help a user if s/he does not know what the problem is or what to look for, especially in cases like these.
I'm sure that I originally read about it elsewhere.
Quote:
Originally Posted by unSpawn
People search LQ to find help with their problems. They might join LQ if they require more help. Telling them then to "go Google" does not really help a user if s/he does not know what the problem is or what to look for, especially in cases like these.
Having just done the Google search for this issue I can say that useful information was not as easy to find as I had expected. This was a big brouhaha just five months ago.
I understand your point but in some cases a question poster would find more information faster by using a web search site than by waiting for an answer here. I just reread the LQ rules. This isn't mentioned. I thought that it was.
It was surprisingly difficult to find any reference to this (..) I'm sure that I originally read about it elsewhere.
Thanks for following up. The link you posted points to the "Random JS rootkit". Addressing your "well-known problem where the Apache web server" comment: this does not expose a flaw in Apache, meaning the references point to "traditional" avenues of attack, and mitre.org doesn't show any CVEs that appear to be related. (For reference, in discovery > disclosure > protection order: The Register, Slashdot, linux.com, SANS ISC, Trendmicro, Finjan, servertune.com, servertune.com, SANS ISC, SANS ISC)
Quote:
Originally Posted by stress_junkie
I understand your point but in some cases a question poster would find more information faster by using a web search site than by waiting for an answer here. (..) I think that there is a balance between providing information on request and asking someone to be a little bit self sufficient. Maybe I'm wrong.
You're not wrong about there being a balance. Speaking in general terms, even when faced with overly broad questions we should take the time to point out how to ask questions or where to find documentation. Those that possess more than new-user-level knowledge must realise that for people, getting to the point where they truly are self-sufficient requires time, effort and dedication. As goes for all of us, even then there will be areas of expertise where help, guidance or a second opinion is appreciated. More than that, it is LQ's primary goal to serve as a quality knowledge base. That means that with each unresolved question we have the opportunity to "write documentation", as it were, that helps this LQ member now but will also help other GNU/Linux users later on. And when combined with a structured approach to troubleshooting, the educational "added value" will serve as a good example of how to foster self-sufficiency. Still speaking in general terms, for some this could mean dropping the "get first reply in" attitude altogether, for others doing (more) research before they post, and for others not dismissing a thread having one or more replies as "solved". Me writing this absolutely does not exclude me from not seeing the same pitfalls at times...